CVE-2026-23457
Integer Overflow in Linux netfilter nf_conntrack_sip Causes Parsing Error
Publication date: 2026-04-03
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by updating the Linux kernel to a version where the nf_conntrack_sip module correctly handles the Content-Length header by using an unsigned long type and rejecting invalid values.
Therefore, the immediate step to mitigate this vulnerability is to apply the latest Linux kernel updates or patches that include this fix.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter component, specifically in the nf_conntrack_sip module. The function sip_help_tcp() parses the SIP Content-Length header using simple_strtoul(), which returns an unsigned long value. However, the result is stored in an unsigned int variable named clen. On 64-bit systems, if the Content-Length value exceeds the maximum value of an unsigned int (UINT_MAX), it gets silently truncated.
For example, a Content-Length value of 4294967328 (which is 2^32 + 32) is truncated to 32. This causes the parser to miscalculate the boundary of the SIP message, leading the loop to mistakenly treat trailing data in the TCP segment as a second SIP message and process it incorrectly through the SDP parser.
The fix involved changing the clen variable to unsigned long to match the return type of simple_strtoul() and rejecting Content-Length values that exceed the remaining TCP payload length.
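The truncation described above, as an added example that is not code from the page, the CVE record or the Linux kernel: a small user-space model of the helper's message-length calculation, with the pre-fix (unsigned int clen) and post-fix (unsigned long clen plus a bound check against the remaining payload) behaviour side by side. It uses the C library's strtoul() in place of the kernel's simple_strtoul(), a simplified header search in place of the kernel's own matching, and constructed sample segments; the function names and the sample traffic are assumptions of this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded substring search; stands in for the kernel's own header matching. */
static long find_in(const char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Compute the length of the SIP message at the start of dptr.
 * fixed=false models the pre-fix code: the strtoul() result is stored in an
 * unsigned int, so values above UINT_MAX are silently truncated on 64-bit.
 * fixed=true models the post-fix code: unsigned long clen, and a Content-Length
 * larger than the remaining payload is rejected.
 * Returns 0 and sets *msglen on success, -1 when the parser would stop. */
static int sip_msglen(const char *dptr, size_t datalen, bool fixed, size_t *msglen) {
    long off = find_in(dptr, datalen, "Content-Length:");
    if (off < 0)
        return -1;
    const char *val = dptr + off + strlen("Content-Length:");
    while (val < dptr + datalen && *val == ' ')
        val++;

    char *end;
    unsigned long parsed = strtoul(val, &end, 10);  /* stand-in for simple_strtoul() */
    if (end == val)
        return -1;

    /* The body starts after the first CRLFCRLF following the header value. */
    long term = find_in(end, datalen - (size_t)(end - dptr), "\r\n\r\n");
    if (term < 0)
        return -1;
    size_t body = (size_t)(end - dptr) + (size_t)term + 4;

    if (!fixed) {
        unsigned int clen = (unsigned int)parsed;  /* pre-fix: 2^32 + 32 becomes 32 */
        *msglen = body + clen;
        return (*msglen > datalen) ? -1 : 0;
    }
    unsigned long clen = parsed;                   /* post-fix: same width as the return type */
    if (clen > datalen - body)                     /* post-fix: body cannot exceed the payload */
        return -1;
    *msglen = body + clen;
    return 0;
}

/* Walk a TCP segment the way the helper loop does and count how many SIP
 * messages the parser would pass on to SIP/SDP processing. */
static int count_messages(const char *seg, size_t datalen, bool fixed) {
    int count = 0;
    size_t msglen;
    while (datalen > 0 && sip_msglen(seg, datalen, fixed, &msglen) == 0) {
        count++;
        seg += msglen;
        datalen -= msglen;
    }
    return count;
}

/* Constructed sample: Content-Length of 2^32 + 32 over a 32-byte body, with
 * a second well-formed message appended as trailing data in the same segment. */
static const char SAMPLE_OVERSIZED[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Length: 4294967328\r\n"
    "\r\n"
    "v=0\r\ns=sampl\r\nc=IN IP4 1.1.1.1\r\n"      /* exactly 32 bytes */
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Constructed sample: the same request with a correct Content-Length. */
static const char SAMPLE_OK[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "v=0\r\ns=sampl\r\nc=IN IP4 1.1.1.1\r\n";

int main(void) {
    printf("oversized, pre-fix : %d message(s)\n",
           count_messages(SAMPLE_OVERSIZED, strlen(SAMPLE_OVERSIZED), false));
    printf("oversized, post-fix: %d message(s)\n",
           count_messages(SAMPLE_OVERSIZED, strlen(SAMPLE_OVERSIZED), true));
    printf("well-formed, post-fix: %d message(s)\n",
           count_messages(SAMPLE_OK, strlen(SAMPLE_OK), true));
    return 0;
}
```

On a 64-bit host the pre-fix model reports two messages for the oversized segment, because the truncated clen of 32 lands the loop exactly on the trailing bytes; the post-fix model reports zero, since 4294967328 exceeds the remaining payload and the segment is rejected, while the well-formed segment still parses as one message either way.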
How can this vulnerability impact me?
This vulnerability can cause the SIP message parser to misinterpret the boundaries of SIP messages due to truncation of the Content-Length header value. As a result, trailing data in a TCP segment may be incorrectly processed as a separate SIP message.
Such misinterpretation could lead to incorrect processing of network traffic, potentially causing unexpected behavior in SIP communications, which might be exploited to disrupt services or cause denial of service conditions.